An application package found in certain HTC Android phones allows apps with …

Share this story

A security hole found in some HTC Android phones could give apps with Internet permissions access to information like a user’s location and their text messages, Android Police reported today. The vulnerability is part of HTC’s Sense UI and affects a subset of the brand’s most popular phones, including the HTC Thunderbolt and the EVO 4G.

When called upon, the logging program opens a local port that will provide this data to any app that asks for it. Apps can send the data off to a remote server for safekeeping, as shown by a proof-of-concept app that Android Police researchers developed.

The authors note that the flaw can’t be fixed in the stock Sense UI without an update or patch from HTC. The owners of the relevant phones (a partial list: Thunderbolt, EVO 3D, EVO 4G, EVO Shift 4G) can delete HTCLoggers from their devices if they root the phones.

While the report doesn’t note any concrete examples of nefarious use of the HTCLogger data, this is far more access than Google allows via Android by default—typically, the OS doesn’t let information of this type off a device without direct consent. HTC has made no official reply to inquiries from the researchers, and did not respond immediately to Ars’ requests for comment.

Update: HTC has responded to Ars with the following statement: "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

Share this story

Casey Johnston
Casey Johnston is the former Culture Editor at Ars Technica, and now does the occasional freelance story. She graduated from Columbia University with a degree in Applied Physics. Twitter@caseyjohnston